Re: Referring URL Authentication

On Wed, 2007-03-14 at 16:23 +0000, Matthew Vickery wrote:
> Robert Cummings wrote:
> > On Wed, 2007-03-14 at 14:50 +0000, Matthew Vickery wrote:
> >> The situation is as follows:
> >> I wish to protect the entire Website http://www.example.com from
> >> direct URL access. i.e. if someone enters http://www.example.com into
> >> their browser they get a message stating that they are not authorised
> >> to access the site.  The only way to access http://www.example.com
> >> should be to log into a second site http://www.intranet.com and follow
> >> a link from within to http://www.example.com.
> >>
> >> The problem:
> >> I initially thought I should use the predefined PHP variable
> >> $_SERVER['HTTP_REFERER'], but the PHP website explains that this
> >> "cannot really be trusted"
> >> (http://uk2.php.net/manual/en/reserved.variables.php).
> >>
> >> Next I thought about HTTP authentication.  If I password protect the
> >> Website using .htaccess and .htpasswd as follows:
> >> Code:
> >>
> >> AuthName "Login to access the Website"
> >> AuthType Basic
> >> AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
> >> Require user username
> >>
> >>
> >> Then my link within http://www.intranet.com could simply be:
> >> Code:
> >>
> >> <a href="http://username:password@xxxxxxxxxxxxxxx">Link to example.com</a>
> >>
> >>
> >> However this doesn't seem secure.  The username and password are
> >> visible to anyone who views the source of the page with the link.
> >> Also as these are not encrypted is it not possible for them to be
> >> intercepted?
> >>
> >> I could of course write my own authentication code on
> >> http://www.example.com and pass a variable via a GET or POST from
> >> http://www.intranet.com, which would cause a login and a cookie to be
> >> set there.  But this is basically the same as above and still seems
> >> insecure!
> >>
> >> Is there a better/standard way to do this kind of thing?
> > 
> > So you want a user who has authenticated on domain A to be able to
> > transparently transfer to domain B? Do they share a common database? Do
> > you have scripting access to both systems?
> > 
> > Cheers,
> > Rob.
> 
> 
> Hi Rob,
> 
> Thanks for your reply.
> 
> Yes, I want a user who has authenticated on domain A to be able to 
> transparently transfer to domain B.
> No, domains A and B don't share a common database.
> I only have scripting access to domain B.
> 
> Basically I am creating a mini-site on my Web server (domain B) that a 
> company needs to access securely via their Intranet (domain A), 
> hopefully without the need to setup an extensive user database and login 
> system on my Web server that will be additional to their Intranet login...
> 
> I hope this makes things clearer?

It does... but you have no control. What you want to do can't be done
with any certainty about the incoming connection. You need control over
A to have any kind of security when transferring to B.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
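
The kind of hand-off Rob is pointing at, as an added example that is not part of the thread and not code from either site: domain A (the intranet) mints a link carrying a user name, an expiry and an HMAC over both; domain B verifies the HMAC and the expiry before starting a session. It only works because both sides hold the same secret, which is exactly the "control over A" Rob says is missing. The constant names, parameter names and the sample user are assumptions made for the example; the secret would be generated randomly and exchanged out of band. Unlike the `http://username:password@...` link in the original question, a leaked link here is bound to one user and stops working after a few minutes, and it carries no reusable password; B should still redirect to a clean URL and rely on its own session cookie once the token has been checked.

```php
<?php
// Added example: signed, expiring hand-off from intranet.com (A) to example.com (B).
// SHARED_SECRET, TOKEN_LIFETIME and the query parameter names are assumptions.

const SHARED_SECRET = 'replace-with-a-long-random-secret-shared-out-of-band';
const TOKEN_LIFETIME = 300; // seconds a link stays valid

// Domain A: build the link the intranet page emits. This is the part that
// needs scripting access on A, because A must know the secret.
function build_handoff_url(string $base, string $user, int $now, string $secret): string
{
    $exp = $now + TOKEN_LIFETIME;
    $sig = hash_hmac('sha256', $user . '|' . $exp, $secret);
    return $base . '?' . http_build_query(['user' => $user, 'exp' => $exp, 'sig' => $sig]);
}

// Domain B: verify what arrives (normally $_GET). Returns the user name on
// success, null on any failure; Referer is never consulted.
function verify_handoff(array $params, int $now, string $secret): ?string
{
    foreach (['user', 'exp', 'sig'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) {
            return null;
        }
    }
    if (!ctype_digit($params['exp'])) {
        return null;
    }
    $exp = (int) $params['exp'];
    if ($now > $exp) {
        return null; // expired: replaying an old link fails here
    }
    $expected = hash_hmac('sha256', $params['user'] . '|' . $exp, $secret);
    // constant-time comparison; a plain == would leak the signature byte by byte
    if (!hash_equals($expected, $params['sig'])) {
        return null;
    }
    return $params['user'];
}

// Demo (runs from the CLI): A mints a link, B accepts it, then B rejects a
// copy with the user name changed and a copy presented after expiry.
$now = time();
$url = build_handoff_url('http://www.example.com/', 'mvickery', $now, SHARED_SECRET);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

echo "link:      $url\n";
echo "valid:     " . var_export(verify_handoff($q, $now, SHARED_SECRET), true) . "\n";

$tampered = $q;
$tampered['user'] = 'admin';
echo "tampered:  " . var_export(verify_handoff($tampered, $now, SHARED_SECRET), true) . "\n";
echo "expired:   " . var_export(verify_handoff($q, $now + 3600, SHARED_SECRET), true) . "\n";
```

On B, the real handler would call `verify_handoff($_GET, time(), SHARED_SECRET)`, start a session for the returned user, and redirect to the page without the query string so the token does not linger in logs, bookmarks or the Referer sent to third parties. Serving both sites over HTTPS addresses the interception worry raised in the question; the signature on its own does not.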

